wallet: RPC calls that “leak” private keys should be disabled by default #8544

issue laanwj opened this issue on August 19, 2016
  1. laanwj commented at 8:54 am on August 19, 2016: member

    Someone on IRC is pretending to be tech support, and tells users to use the dumpprivkey RPC call and give them the resulting information. Then he moves the coins to his own wallet.

    All in all it is too easy to make the wallet leak information that can be used to steal the contents, without people realizing (its name is not obvious, like sendtoaddress).

    A possible mitigation would be to disable all wallet RPC calls that return private keys by default, make them emit a WARNING, and only enable them with a specific command line option. This would provide advance warning, and also puts up a barrier for non-technical users.

    (on the other hand, where does this rabbit hole end, someone could social engineer to get someone to use signrawtransaction just as well… almost all wallet RPC calls are dangerous in one way or another)

    So another, more general, option would be to show a very serious-looking warning when opening the debug console, that people are using it to steal blabla. But that’d be GUI only.
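A small model of the gate proposed above, added here as an illustration and not code from Bitcoin Core: key-revealing RPC methods are refused by default, emit a warning, and only run when the operator has opted in at startup, while a command that only lists addresses keeps working. The option name `-allowprivkeyrpc`, the dispatcher and the stand-in wallet are all constructed for this example.

```python
"""Model of a default-off gate for RPC methods that return private keys.
Added example, not Bitcoin Core code: the option name -allowprivkeyrpc,
the dispatcher and the stand-in wallet are constructed for illustration."""
import logging

logger = logging.getLogger("rpcgate")

# Methods whose output includes private key material (named in the issue).
PRIVKEY_LEAKING_RPCS = frozenset({"dumpprivkey", "dumpwallet"})

WARNING_TEXT = (
    "{method} reveals private keys; anyone who sees its output can spend "
    "your coins. It is disabled unless the node was started with "
    "-allowprivkeyrpc (hypothetical option name)."
)


class RpcDisabledError(Exception):
    """Raised when a key-revealing method is called without the opt-in."""


class RpcDispatcher:
    def __init__(self, allow_privkey_rpc=False):
        self.allow_privkey_rpc = allow_privkey_rpc
        self._methods = {}
        self.warnings = []  # warnings recorded so callers can inspect them

    def register(self, name, fn):
        self._methods[name] = fn

    def call(self, method, *args):
        if method not in self._methods:
            raise KeyError(f"unknown RPC method: {method}")
        # Policy check happens before the method body ever runs.
        if method in PRIVKEY_LEAKING_RPCS and not self.allow_privkey_rpc:
            msg = WARNING_TEXT.format(method=method)
            logger.warning(msg)
            self.warnings.append(msg)
            raise RpcDisabledError(msg)
        return self._methods[method](*args)


# Constructed stand-in wallet: address -> placeholder private key.
FAKE_WALLET = {"addr1": "privkey-placeholder-1", "addr2": "privkey-placeholder-2"}


def make_dispatcher(allow_privkey_rpc=False):
    d = RpcDispatcher(allow_privkey_rpc)
    d.register("getaddresses", lambda: sorted(FAKE_WALLET))  # no keys, always allowed
    d.register("dumpprivkey", lambda addr: FAKE_WALLET[addr])
    d.register("dumpwallet", lambda: dict(FAKE_WALLET))
    return d
```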

  2. laanwj added the label Wallet on Aug 19, 2016
  3. midnightmagic commented at 8:59 am on August 19, 2016: contributor
    In fact it appears a signrawtransaction was part of the same scam. :-( (Assuming it did in fact happen and wasn’t just performance art.)
  4. luke-jr commented at 9:13 am on August 19, 2016: member
    I wonder if it would be sufficient to just treat an unencrypted wallet as encrypted for debug window purposes, and add a warning when unlocking it?
  5. laanwj commented at 9:23 am on August 19, 2016: member
    [image: mockup of a warning shown in the debug console]
  6. jonasschnelli commented at 9:26 am on August 19, 2016: contributor

    Nice mockup. There are also tutorials that guide people to the debug console in order to see their wallet state (HD enabled as example).

    I could think of: -> showing the red warning text (mockup) once you first fire off a “protected” command (dumpprivkey, dumpwallet), the command would be ignored.

  7. laanwj commented at 9:28 am on August 19, 2016: member

    Yes, that warning is intended to be only one part of the protection. This doesn’t rule out disabling key-leaking commands as well. Multiple levels of ‘defense’ could be used.

    But I can see a user being scammed into using some other command, maybe a combination of commands we can’t even imagine, so I’ve kept this one general.

  8. MarcoFalke commented at 9:38 am on August 19, 2016: member
    I’d avoid the word “Scammers” and replace it with a general warning that sharing any information displayed in the debug window can leak sensitive information or even expose your funds to theft.
  9. laanwj commented at 9:53 am on August 19, 2016: member
    Why? the problem is exactly scammers. Wording it any less strongly is not going to make people read it better.
  10. btcdrak commented at 10:03 am on August 19, 2016: contributor
    Scammer is exactly the right word, with the intended meaning. Diluting this message for more polite language is wrong.
  11. MarcoFalke commented at 10:04 am on August 19, 2016: member

    If people are aware that the person on the other end is a scammer, you don’t need the warning.

    Any scam works by letting people think everything that is going on is totally legit.

    “Oh I have a problem with my software on the computer; I am not tech guy, so I will try to get help somewhere online. Oh, those are nice people. They are so kind and they seem intelligent. I should probably do what they tell me to do. All I want is to fix this damn problem. Oh, my bitcoins are gone…”

  12. laanwj commented at 10:06 am on August 19, 2016: member
    It may cause them to realize that someone is a scammer though, if they ask to do anything in this console.
  13. molxyz commented at 3:42 pm on August 19, 2016: none
    Could you also please look at the command “dumpwallet”. This command dumps not only addresses but also the private keys along with it. I do like the command to give me a list of addresses on my wallet but I don’t need it to expose all the private keys. Thank you.
  14. MarcoFalke commented at 3:49 pm on August 19, 2016: member
    @laanwj Fine, anything is an improvement over the current situation. Pull requests welcome :)
  15. rebroad commented at 0:53 am on August 21, 2016: contributor
    I like the mock-up message by @laanwj but I think upon opening the debug window is the wrong place, and prefer @luke-jr’s suggestion, UNLESS the wallet is unencrypted, in which case the warning should mention this when opening the debug window - (assuming unencrypted wallets are still being permitted.)
  16. laanwj commented at 9:41 am on November 21, 2016: member
    See also: Add a footgun warning to any privkey operation. #4176
  17. unsystemizer commented at 8:40 pm on January 15, 2017: contributor

    Could you also please look at the command “dumpwallet”

    What about it? All commands in the console are potentially sensitive, including listaccounts. No precautionary measure should create issues for heavy console users. No console command, including listaccounts, should be executed if its results are to be shared with a person who shouldn’t have that info.

    Where to put a warning:

    • Settings > Options > Advanced
    • Enable command console features (checkbox)
    • Here put a click-through warning

    I would prefer something like this: The sharing of information from Debug Console or allowing other persons to directly or indirectly operate it may lead to a complete and irrecoverable loss of wallet contents. Please consult Bitcoin Core User Guide for additional information on high-risk console commands.

    Most people won’t consider the helpful guy from the computer store around the corner a scammer, so that word isn’t a good choice (it can even make one get more easily scammed by a non-scammer type). Users generally shouldn’t readily permit anyone to access the Console. Other tabs in Help > Debug are okay, and there’s a Reset Options button for easy “restart”, so there’s no reason for any 3rd party to need access to the console or its output, whether they’re Tech Support from your bitcoin exchange or scammers from (feel free to stereotype a country of your choosing).

  18. laanwj closed this on Nov 22, 2019

  19. DrahtBot locked this on Dec 16, 2021

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-17 06:12 UTC